Webmail excessive Dovecot logins
Hello,
I've seen this issue before, running an imap/smtp/database server on localhost and adding in a webmail interface, in this case Roundcube.
In my maillog I'm seeing excessive Dovecot connections and logouts just from my own transaction of logging in, going to compose a message, sending, and logging out.
I'm using Mysql as the database backend and was wondering if there was something I could do to cut down on the amount of connections needed?
I'm running 2.2.19 on a FreeBSD 10.2 system.
I'm not sure what other information to provide; here's the relevant log and a doveconf -n.
Second question: in the doveconf -n there's a reference to my ssl_cipher. Am I using current TLS ciphers that support PFS?
Thanks. Dave.

Oct 29 20:51:21 server dovecot: imap-login: Login: user=<xxx>, method=PLAIN, rip=::1, lip=::1, mpid=71405, secured, session=<6Px600cja6cAAAAAAAAAAAAAAAAAAAAB>
Oct 29 20:51:21 server dovecot: imap(xxx): Disconnected: Logged out in=82 out=763
Oct 29 20:51:22 server dovecot: imap-login: Login: user=<xxx>, method=PLAIN, rip=::1, lip=::1, mpid=72189, secured, session=<c8eL00cjxXYAAAAAAAAAAAAAAAAAAAAB>
Oct 29 20:51:22 server dovecot: imap(xxx): Disconnected: Logged out in=70 out=932
Oct 29 20:51:29 server dovecot: imap-login: Login: user=<xxx>, method=PLAIN, rip=::1, lip=::1, mpid=74281, secured, session=<AQz100cj378AAAAAAAAAAAAAAAAAAAAB>
Oct 29 20:51:29 server dovecot: imap-login: Login: user=<xxx>, method=PLAIN, rip=::1, lip=::1, mpid=74927, secured, session=<fH3100cjQ5AAAAAAAAAAAAAAAAAAAAAB>
Oct 29 20:51:29 server dovecot: imap(xxx): Disconnected: Logged out in=439 out=1702
Oct 29 20:51:29 server dovecot: imap(xxx): Disconnected: Logged out in=326 out=24327
Oct 29 20:51:45 server dovecot: imap-login: Login: user=<xxx>, method=PLAIN, rip=::1, lip=::1, mpid=75557, secured, session=<3tjm1EcjsjUAAAAAAAAAAAAAAAAAAAAB>
Oct 29 20:51:45 server dovecot: imap(xxx): Disconnected: Logged out in=32 out=521
Oct 29 20:51:46 server dovecot: imap-login: Login: user=<xxx>, method=PLAIN, rip=::1, lip=::1, mpid=77051, secured, session=<N6311EcjlbQAAAAAAAAAAAAAAAAAAAAB>
Oct 29 20:51:46 server dovecot: imap(xxx): Disconnected: Logged out in=44 out=799
doveconf -n
# 2.2.19: /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.9 (357ac0a0e68b+)
# OS: FreeBSD 10.2-RELEASE amd64 ufs
auth_default_realm = domain.com
auth_mechanisms = plain login
dict {
  sqlquota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_gid = 999
first_valid_uid = 999
hostname = xxx@domain.com
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
last_valid_gid = 999
last_valid_uid = 999
lmtp_rcpt_check_quota = yes
mail_gid = vmail
mail_home = /home/vmail/%d/%n/home
mail_location = maildir:/home/vmail/%d/%n:LAYOUT=fs
mail_plugins = acl quota zlib
mail_server_admin = mailto:postmaster@domain.com
mail_uid = vmail
mailbox_list_index = yes
maildir_broken_filename_sizes = yes
maildir_empty_new = yes
maildir_stat_dirs = yes
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
namespace {
  list = yes
  location = maildir:/home/vmail/public:LAYOUT=fs
  prefix = public/
  separator = /
  subscriptions = yes
  type = public
}
namespace inbox {
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  quota = dict:User quota::proxy::sqlquota
  quota_grace = 10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  sieve_default = /home/vmail/conf.d/domain.com/sieve/default.sieve
}
postmaster_address = postmaster@domain.com
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    address =
  }
  inet_listener imaps {
    ssl = yes
  }
}
service lmtp {
  unix_listener dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12345
  }
}
ssl = required
ssl_cert =
On Thu, 29 Oct 2015, David Mehler wrote:
> I've seen this issue before, running an imap/smtp/database server on localhost and adding in a webmail interface, in this case Roundcube.
> In my maillog I'm seeing excessive Dovecot connections and logouts just from my own transaction of logging in, going to compose a message, sending, and logging out.
> I'm using Mysql as the database backend and was wondering if there was something I could do to cut down on the amount of connections needed?
:-) don't connect so often.
I guess with "from my own transaction" you mean a transaction in roundcube?
http://trac.roundcube.net/wiki/Howto_Config/Performance "Use a caching IMAP proxy"
Steffen Kaiser
David Mehler:
> Second question: in the doveconf -n there's a reference to my ssl_cipher. Am I using current TLS ciphers that support PFS?
> ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL
Some non-PFS ciphers would still be active. Check yourself:
# openssl ciphers -v 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL' | grep -v DH
You disable the SSLv3 *cipher list* here. That may not be the expected result. The *cipher list* SSLv3 is also used by TLSv1+ *protocols*.
I suggest reading (again?)
https://bettercrypto.org/static/applied-crypto-hardening.pdf
> ssl_protocols = TLSv1 !SSLv3 !SSLv2
That disables SSLv2 and SSLv3 but would also disable TLSv1.1 and TLSv1.2, which your ssl library may otherwise support.
Better: ssl_protocols = !SSLv3 !SSLv2
Finally, you could use the service provided by ssllabs.com to scan your host. It's a little bit tricky: ssllabs allows scanning only on port 443, so you may configure your host for imaps (not imap + STARTTLS) on port 443 and use ssllabs.com. But that requires that you do not run a regular HTTPS webserver on the same host.
Andreas
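An added example (mine, not code from Andreas, Dovecot or OpenSSL) that turns the "openssl ciphers -v ... | grep -v DH" check above into a small filter: it reads the -v output and keeps only ciphers whose key-exchange (Kx) field is not DH or ECDH, i.e. those without forward secrecy, which is a little stricter than grepping the whole line. The function names and the sample lines are my own; the sample is constructed in "openssl ciphers -v" format and is not output from the poster's host.

```shell
#!/bin/sh
# Added example: find the ciphers in an OpenSSL cipher string that lack
# forward secrecy. "openssl ciphers -v" prints one cipher per line as
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
# so we look at the Kx field instead of grepping the whole line.
# Function names below are my own, not Dovecot or OpenSSL names.

# Print the names of ciphers on stdin whose Kx field is not DH/ECDH
# (also catches Kx=DH(512)-style export entries that grep -v DH would hide).
non_pfs_from_stdin() {
    awk '{
        kx = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (kx !~ /^(EC)?DH/) print $1
    }'
}

# Count the non-PFS ciphers a cipher string enables; needs the openssl
# binary, e.g. check_cipher_string 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL'
check_cipher_string() {
    openssl ciphers -v "$1" | non_pfs_from_stdin | wc -l | tr -d ' '
}

# Constructed sample in "openssl ciphers -v" format (not real output from
# the poster's host), so the filter can be exercised offline.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
PSK-AES128-CBC-SHA          SSLv3   Kx=PSK      Au=PSK  Enc=AES(128)    Mac=SHA1'

# Return the non-PFS names from the sample as one space-separated string.
sample_non_pfs() {
    printf '%s\n' "$SAMPLE" | non_pfs_from_stdin | tr '\n' ' ' | sed 's/ $//'
}
```

Against the sample, sample_non_pfs reports AES256-SHA and PSK-AES128-CBC-SHA; run check_cipher_string with your own ssl_cipher_list to see the count on a real host.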